DDoS attacks spreading through ‘GodMode’ exploit – CVE-2014-6332

We have recently observed an increase in the exploitation of the famous ‘GodMode’ exploit of the vulnerability CVE-2014-6332. A reliable proof of concept (POC) or exploit code for CVE-2014-6332 is readily available on the Internet. This makes it easy for attackers to integrate the exploit in various campaigns; they just have to swap the malware payload to start a new campaign. Most of the active Exploit Kits (EKs), such as ‘RIG’ and ‘Sundown’, have integrated exploits for CVE-2014-6332. Apart from EKs, the exploit is also spreading through various compromised and malicious websites.

In this blog post, we will take a look at one such attack, where exploitation of the ‘GodMode’ vulnerability CVE-2014-6332 was dropping a malware payload called DDoS Nitol.

Exploitation Cycle

The exploit was being served from the domain ‘1128[.]me’, which was resolving to IP 43.249.8[.]78. The exploit domain is registered in ‘Panama’ as per whois lookup, while the geo-location of the IP lies in ‘China’. The domain names observed in the DDoS campaigns were short and contained numerical values as part of the domain name.

Fig 1. Exploitation Cycle

Exploit Analysis

The exploit first checks the versions of the Windows OS and Internet Explorer for compatibility. The exploit code only gets loaded on 32-bit Windows OS and on Internet Explorer.

Fig 2. Version Checking of Windows OS and Internet Explorer

After version checking, the exploit code moves ahead and the function ‘Over’ is called. The type confusion vulnerability is triggered when the array ‘aa’ is resized. A detailed analysis of the vulnerability can be found here.

Fig 3. Vulnerability (CVE-2014-6332) trigger code

Disabling ‘safemode’ Flag

By default, the use of VBScript functionality in browsers is restricted. This restriction is controlled by the ‘safemode’ flag, whose default value is always ‘0xE’. If the default value of the ‘safemode’ flag is changed, malicious activity can be performed using VBScript. Controlling the ‘safemode’ flag through VBScript in web browsers has been called ‘GodMode’; hence this exploit is famously known as the ‘GodMode’ exploit.

At the time of analysis, the CnC server was inactive, so we did not receive actual commands from the server. The unidentified CnC parameters in the commands listed below are shown as ‘%s’ or ‘%d’. The malware supports 22 commands which specify the type of DDoS attack to be carried out on the target website. The CnC commands also access various types of resources, such as text and images, for the attack. They also use different user agents, such as ‘Baiduspider’. Below are some of the DDoS commands.

DDoS Commands

Fig 11. DDoS commands

The following figure shows the loop for DDoS attacks carried out through ‘send’ API request.

Fig 12. DDoS Attack Loop

Also, you can see many branches converging on the same code at the top, as shown in Fig 12. This is because the commands are different but many of them use the same ‘send’ API for the attack.

The CnC server address is kept in encrypted form in the malware payload; a two-level encryption is used. The first level is base64 and the second level is a custom ADD + XOR encryption, as shown in Fig 13.

Fig 13. CnC URL encryption/decryption
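To illustrate the two-layer scheme described above, here is an added Python example; it is neither Quick Heal's code nor the malware's. The ADD and XOR constants are hypothetical stand-ins, since the real ones appear only in Fig 13, which is not reproduced here, and the sample blob is constructed by encoding the CnC host:port from the IoC list below with those stand-in keys. The last function goes beyond the post: it shows how an analyst can recover unknown ADD/XOR constants from a single encrypted config string by exhausting the 256 x 256 key space and keeping only outputs that look like host[:port].

```python
import base64
import re

# Hypothetical constants: the post says the inner layer is a custom ADD + XOR
# (Fig 13) but does not reproduce the values, so these are stand-ins.
ADD_KEY = 0x07
XOR_KEY = 0x5A


def encode_cnc(plain: str, add_key: int = ADD_KEY, xor_key: int = XOR_KEY) -> str:
    """Apply the inner ADD + XOR layer, then the outer base64 layer."""
    inner = bytes(((b + add_key) & 0xFF) ^ xor_key for b in plain.encode("ascii"))
    return base64.b64encode(inner).decode("ascii")


def decode_cnc(blob: str, add_key: int = ADD_KEY, xor_key: int = XOR_KEY) -> str:
    """Undo the layers in reverse order: base64 first, then XOR, then subtract."""
    inner = base64.b64decode(blob)
    return bytes(((c ^ xor_key) - add_key) & 0xFF for c in inner).decode("ascii")


# Plausibility filter for a decoded CnC string: host made of letters, digits,
# dots and dashes, a TLD of at least two letters, and an optional :port.
HOSTPORT_RE = re.compile(rb"[a-z0-9][a-z0-9.\-]*\.[a-z]{2,}(?::\d{1,5})?")


def recover_keys(blob: str):
    """Brute-force the ADD/XOR key space when the constants are unknown.

    Returns every (add_key, xor_key, plaintext) triple whose output passes the
    host[:port] filter. 65536 trials over a short string run in well under a
    second, so this is practical for a single config blob.
    """
    inner = base64.b64decode(blob)
    candidates = []
    for add_key in range(256):
        for xor_key in range(256):
            text = bytes(((c ^ xor_key) - add_key) & 0xFF for c in inner)
            if HOSTPORT_RE.fullmatch(text):
                candidates.append((add_key, xor_key, text.decode("ascii")))
    return candidates


# Constructed sample: the refanged CnC host:port from the post's IoC list,
# encoded with the hypothetical keys above.
SAMPLE_BLOB = encode_cnc("hack.1128.me:520")

if __name__ == "__main__":
    print("decoded:", decode_cnc(SAMPLE_BLOB))
    for add_key, xor_key, text in recover_keys(SAMPLE_BLOB):
        print(f"add=0x{add_key:02X} xor=0x{xor_key:02X} -> {text}")
```

The key-recovery routine relies on the inner layer being a per-byte affine map, which is what ADD followed by XOR amounts to; a scheme with a multi-byte or position-dependent key would need a correspondingly larger search or a look at the decryption routine itself.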

DDoS.Nitol Hits Trend

As observed by Quick Heal Labs, below is the trend of DDoS Nitol hits over the last month.

Fig 14. DDoS Nitol hits trend

Indicators of Compromise

Exploit Server IP

43.249.8[.]78

Exploit URL

1128[.]me

Payload MD5

0B15E700EE99383BAD9915F0FB939D3D

Payload Filename

ax.exe

Payload CnC URLs

hack.1128[.]me:520
ip.yototoo[.]com
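The indicators above are published defanged (with ‘[.]’), and one of them carries a port. The following Python example, added here and not part of the Quick Heal post, shows how a defender can refang the list and sweep proxy, DNS and file-hash events for the exploit server IP, the CnC domains and the payload MD5. The log lines are constructed for the example; the format (timestamp, client, action, target) is an assumption, not any product's actual format. A subdomain of a listed domain counts as a hit, while an indicator that specifies a port only matches on that port.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed above (defanged form kept verbatim).
EXPLOIT_SERVER_IP = "43.249.8[.]78"
NETWORK_IOCS = ["1128[.]me", "hack.1128[.]me:520", "ip.yototoo[.]com"]
PAYLOAD_MD5 = "0B15E700EE99383BAD9915F0FB939D3D"

# Constructed log lines (not real telemetry); hack.1128.me:443 on the last
# line should match the bare domain but not the port-specific indicator.
SAMPLE_LOG = """\
2016-12-01T10:00:01 10.0.0.5 GET http://1128.me/index.html 200
2016-12-01T10:00:02 10.0.0.5 GET http://43.249.8.78/ax.exe 200
2016-12-01T10:00:03 10.0.0.5 CONNECT hack.1128.me:520 200
2016-12-01T10:00:04 10.0.0.7 GET http://www.example.com/ 200
2016-12-01T10:00:05 10.0.0.5 DNS ip.yototoo.com NOERROR
2016-12-01T10:00:06 10.0.0.5 FILE ax.exe md5=0b15e700ee99383bad9915f0fb939d3d
2016-12-01T10:00:07 10.0.0.9 CONNECT hack.1128.me:443 200
"""

HOST_TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+(?::\d+)?")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def split_host_port(value: str):
    """'hack.1128.me:520' -> ('hack.1128.me', 520); no port -> (host, None)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.lower(), None


def host_matches(seen_host, seen_port, ioc_host, ioc_port) -> bool:
    """Exact host or subdomain match; a listed port must match exactly."""
    if seen_host != ioc_host and not seen_host.endswith("." + ioc_host):
        return False
    return ioc_port is None or seen_port == ioc_port


def scan_log(log_text: str) -> dict:
    """Return {line_number: [indicators as published]} for every line that hits."""
    ip_host, _ = split_host_port(refang(EXPLOIT_SERVER_IP))
    net = [(ioc, *split_host_port(refang(ioc))) for ioc in NETWORK_IOCS]
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        found = []
        for token in line.split():
            if token.lower().startswith("md5="):
                if token[4:].lower() == PAYLOAD_MD5.lower():
                    found.append(PAYLOAD_MD5)
                continue
            if "://" in token:
                parts = urlsplit(token)
                host, port = (parts.hostname or "").lower(), parts.port
            elif "." in token and HOST_TOKEN_RE.fullmatch(token):
                host, port = split_host_port(token)
            else:
                continue
            if host == ip_host:
                found.append(EXPLOIT_SERVER_IP)
            for ioc, ioc_host, ioc_port in net:
                if host_matches(host, port, ioc_host, ioc_port):
                    found.append(ioc)
        if found:
            hits[lineno] = list(dict.fromkeys(found))  # de-duplicate, keep order
    return hits


if __name__ == "__main__":
    for lineno, indicators in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"line {lineno}: {', '.join(indicators)}")
```

Matching on the parent domain as well as the exact CnC host is deliberate: the post notes that the exploit server and the CnC both live under ‘1128[.]me’, so any traffic to that zone is worth a look even when the port differs from the one published.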

Conclusion

By using the reliable exploit code available on the Internet for CVE-2014-6332, it is becoming easier for attackers to launch various types of mass infection campaigns. As we have seen in this case, a DDoS attack can be launched by dropping the DDoS malware Nitol. With its network spreading functionality, Nitol makes for a deadlier attack, as it can compromise many machines present on the network. We strongly recommend that users update their Windows operating systems and use multilayered security software such as Quick Heal.